Creating a custom AuthenticationProvider object

Spring Security delegates to an AuthenticationProvider object to determine whether a user is authenticated or not. This means we can write custom AuthenticationProvider implementations to inform Spring Security how to authenticate in different ways. The good news is that Spring Security provides quite a few AuthenticationProvider objects, so more often than not you will not need to create one. In fact, up until this point, we have been utilizing Spring Security's o.s.s.authentication.dao.DaoAuthenticationProvider object, which compares the username and password returned by UserDetailsService.